Thanks to:
Graham Allan <allan_at_physics.umn.edu>
kat <kathee_at_mindiq.com>
Nikola Milutinovic <Nikola.Milutinovic_at_ev.co.yu>
Benjamin Smith <smith.benjamin_at_epa.gov>
Arno Hahma <arno_at_azido.pp.utu.fi>
Hank Lee <hank_at_employees.org>
These are just a few replies I got to specific questions, mainly about the
number of open ports on a default install, and what can safely be turned
off. I understand a number of people are working on a more general and
comprehensive 'hardening' guide.
I'll probably compile my own hardening checklist for internal use, and
will post that to the list when done. For now, here are the summaries of
responses I got.
Thanks all,
Paul
Hardening Tru64 Quick Summary of Replies
=========================================
Re: Open Ports
==============================================
* Why does AdvFS need a tcp socket?
It is for AdvFS GUI/daemon coupling. Unless you really want to remotely
administer your AdvFS, you can turn it off.
advfsd needs it for networked maintenance. If you don't need the graphical
user interface, you can switch off advfsd and then it shouldn't need
any sockets either. Better check on advfs and advfsd man pages, though.
* I'm not running X - can dtspc be turned off?
Sure.
* What about kdebug?
I always turn that off. In the kernel.
* Do I really need the config management server running?
Those were known to have security bugs in them. And, no, you don't need
it.
* I haven't configured EVM - can it be turned off?
Hmm, what's EVM? EVent Manager? Kill it.
Web Pages / Courses / Guides
===============================================
Courses ---> www.mindiq.com
Security Guides -->
We've used
http://www.sabernet.net/papers/Tru64.html as a basis. The
printer port can be disabled by turning off lpd; I've disabled both cfgmgr
and kdebug under 4.x from inetd.conf with no problems, and turned off AdvFS
by disabling advfsd in init.d.
Other
=====================================================
IPfilter should now work on Tru64 v.5.1
In addition to fortifying the OS itself, it might be advisable to look
into installing a packet filtering tool on the server.
http://cheops.anu.edu.au/~avalon/ip-filter.html
Perhaps this can be something to slip in place to help you find out just
which of these open ports you can live without.
Received on Fri Mar 09 2001 - 15:31:45 NZDT
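
An added example, not part of the original post or of any reply quoted in it: a small shell check that lists which of the inetd-launched services discussed above are still active in an inetd.conf-style file. cfgmgr and kdebug are named in the post as inetd.conf entries; treating dtspc as one is an assumption, and the sample file contents and server paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: list which inetd services named in the replies are still
# enabled in an inetd.conf-style file.

# cfgmgr and kdebug are named in the post as inetd.conf entries; treating
# dtspc as an inetd entry is an assumption.
AUDIT_SERVICES="cfgmgr kdebug dtspc"

# enabled_services FILE
# Prints "service protocol" for each active (uncommented) entry whose service
# name is in AUDIT_SERVICES. FILE defaults to "-" (stdin).
enabled_services() {
    awk -v want="$AUDIT_SERVICES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) flag[w[i]] = 1 }
        $1 ~ /^#/    { next }    # commented out, so inetd will not start it
        NF < 6       { next }    # blank or incomplete entry
        ($1 in flag) { print $1, $3 }
    ' "${1:--}" | sort -u
}

# Constructed sample input; server paths are placeholders.
sample_inetd_conf() {
    cat <<'EOF'
# service socket proto wait user server args
ftp     stream tcp nowait root /path/to/ftpd    ftpd
#kdebug stream tcp nowait root /path/to/kdebugd kdebugd
  # cfgmgr stream tcp nowait root /path/to/old   old
cfgmgr  stream tcp nowait root /path/to/cfgmgr  cfgmgr
dtspc   stream tcp nowait root /path/to/dtspcd  dtspcd
EOF
}

# Demo run on the constructed sample.
sample_inetd_conf | enabled_services -
```

On a real host, pass the path of the inetd configuration file as the argument. After entries are commented out, inetd has to re-read its configuration before the ports actually close.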